429b19e6925619bdcf62d7582532d85335a5351eed117b35eee526221b8a3616

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-04-2024 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-06_d1ba0ff36d8ad7e5ccef163a7a3dd0b5_goldeneye.exe
Size

204KB
MD5

d1ba0ff36d8ad7e5ccef163a7a3dd0b5
SHA1

9c68ec4f87d364623f3aa1fd6b32f5ae54fb6e4e
SHA256

429b19e6925619bdcf62d7582532d85335a5351eed117b35eee526221b8a3616
SHA512

d44aecbf649553e29d03d9a3d7a1bf11e63a95aefc4acf6f9213bebed69c955c670b52334128104af1be8f65a38c8c15fbf6ac8de706238e320c83176f23c26e
SSDEEP

1536:1EGh0oEl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oEl1OPOe2MUVg3Ve+rXfMUy

Score

9^/10

persistence

Malware Config

Signatures

Auto-generated rule 12 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023201-2.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0007000000023202-6.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023209-8.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0008000000023202-13.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021df7-18.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0002000000021df8-22.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000021df7-26.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000707-30.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0003000000000709-35.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000707-37.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x0004000000000709-42.dat	GoldenEyeRansomware_Dropper_MalformedZoomit
behavioral2/files/0x000300000000072f-46.dat	GoldenEyeRansomware_Dropper_MalformedZoomit

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A5F89C2-C4D4-4ef0-8D9D-990F94C14048}	{4727C803-965D-4c9d-A7A6-B633F01E9C4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F1B76BF-60DD-44e4-8917-3238C5924623}	{8A5F89C2-C4D4-4ef0-8D9D-990F94C14048}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A85D8782-15F6-4f71-A70B-7FF7BF5C87CB}	{778482CE-BBBC-443e-A4B4-EFDAFDA14F4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{778482CE-BBBC-443e-A4B4-EFDAFDA14F4F}\stubpath = "C:\\Windows\\{778482CE-BBBC-443e-A4B4-EFDAFDA14F4F}.exe"	{2F1B76BF-60DD-44e4-8917-3238C5924623}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFECE766-E752-4e63-A31F-BDE370A79FCC}\stubpath = "C:\\Windows\\{CFECE766-E752-4e63-A31F-BDE370A79FCC}.exe"	{A85D8782-15F6-4f71-A70B-7FF7BF5C87CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0978817-234A-48b6-B70F-CF8CC5CC5E31}	{CFECE766-E752-4e63-A31F-BDE370A79FCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0F4B388-B52C-4b5c-8066-3439F863BDA3}	{001ECC7E-209A-4837-ACC0-BFFB7291CD36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{481B1A6E-484A-4e5e-8E52-78EF8D4B70A0}\stubpath = "C:\\Windows\\{481B1A6E-484A-4e5e-8E52-78EF8D4B70A0}.exe"	{A0F4B388-B52C-4b5c-8066-3439F863BDA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8C91104-4270-4d02-B32C-EEB87FCBF406}\stubpath = "C:\\Windows\\{F8C91104-4270-4d02-B32C-EEB87FCBF406}.exe"	{481B1A6E-484A-4e5e-8E52-78EF8D4B70A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4727C803-965D-4c9d-A7A6-B633F01E9C4D}	{F8C91104-4270-4d02-B32C-EEB87FCBF406}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{778482CE-BBBC-443e-A4B4-EFDAFDA14F4F}	{2F1B76BF-60DD-44e4-8917-3238C5924623}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0978817-234A-48b6-B70F-CF8CC5CC5E31}\stubpath = "C:\\Windows\\{A0978817-234A-48b6-B70F-CF8CC5CC5E31}.exe"	{CFECE766-E752-4e63-A31F-BDE370A79FCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71D101E8-B647-4358-8063-E6D41A827981}\stubpath = "C:\\Windows\\{71D101E8-B647-4358-8063-E6D41A827981}.exe"	{A0978817-234A-48b6-B70F-CF8CC5CC5E31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{001ECC7E-209A-4837-ACC0-BFFB7291CD36}\stubpath = "C:\\Windows\\{001ECC7E-209A-4837-ACC0-BFFB7291CD36}.exe"	2024-04-06_d1ba0ff36d8ad7e5ccef163a7a3dd0b5_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F8C91104-4270-4d02-B32C-EEB87FCBF406}	{481B1A6E-484A-4e5e-8E52-78EF8D4B70A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4727C803-965D-4c9d-A7A6-B633F01E9C4D}\stubpath = "C:\\Windows\\{4727C803-965D-4c9d-A7A6-B633F01E9C4D}.exe"	{F8C91104-4270-4d02-B32C-EEB87FCBF406}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A85D8782-15F6-4f71-A70B-7FF7BF5C87CB}\stubpath = "C:\\Windows\\{A85D8782-15F6-4f71-A70B-7FF7BF5C87CB}.exe"	{778482CE-BBBC-443e-A4B4-EFDAFDA14F4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71D101E8-B647-4358-8063-E6D41A827981}	{A0978817-234A-48b6-B70F-CF8CC5CC5E31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFECE766-E752-4e63-A31F-BDE370A79FCC}	{A85D8782-15F6-4f71-A70B-7FF7BF5C87CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{001ECC7E-209A-4837-ACC0-BFFB7291CD36}	2024-04-06_d1ba0ff36d8ad7e5ccef163a7a3dd0b5_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0F4B388-B52C-4b5c-8066-3439F863BDA3}\stubpath = "C:\\Windows\\{A0F4B388-B52C-4b5c-8066-3439F863BDA3}.exe"	{001ECC7E-209A-4837-ACC0-BFFB7291CD36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{481B1A6E-484A-4e5e-8E52-78EF8D4B70A0}	{A0F4B388-B52C-4b5c-8066-3439F863BDA3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A5F89C2-C4D4-4ef0-8D9D-990F94C14048}\stubpath = "C:\\Windows\\{8A5F89C2-C4D4-4ef0-8D9D-990F94C14048}.exe"	{4727C803-965D-4c9d-A7A6-B633F01E9C4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F1B76BF-60DD-44e4-8917-3238C5924623}\stubpath = "C:\\Windows\\{2F1B76BF-60DD-44e4-8917-3238C5924623}.exe"	{8A5F89C2-C4D4-4ef0-8D9D-990F94C14048}.exe

Executes dropped EXE 12 IoCs

pid	Process
1948	{001ECC7E-209A-4837-ACC0-BFFB7291CD36}.exe
4808	{A0F4B388-B52C-4b5c-8066-3439F863BDA3}.exe
1780	{481B1A6E-484A-4e5e-8E52-78EF8D4B70A0}.exe
4512	{F8C91104-4270-4d02-B32C-EEB87FCBF406}.exe
508	{4727C803-965D-4c9d-A7A6-B633F01E9C4D}.exe
4448	{8A5F89C2-C4D4-4ef0-8D9D-990F94C14048}.exe
4792	{2F1B76BF-60DD-44e4-8917-3238C5924623}.exe
1864	{778482CE-BBBC-443e-A4B4-EFDAFDA14F4F}.exe
3736	{A85D8782-15F6-4f71-A70B-7FF7BF5C87CB}.exe
4624	{CFECE766-E752-4e63-A31F-BDE370A79FCC}.exe
400	{A0978817-234A-48b6-B70F-CF8CC5CC5E31}.exe
2308	{71D101E8-B647-4358-8063-E6D41A827981}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A0F4B388-B52C-4b5c-8066-3439F863BDA3}.exe	{001ECC7E-209A-4837-ACC0-BFFB7291CD36}.exe
File created	C:\Windows\{F8C91104-4270-4d02-B32C-EEB87FCBF406}.exe	{481B1A6E-484A-4e5e-8E52-78EF8D4B70A0}.exe
File created	C:\Windows\{4727C803-965D-4c9d-A7A6-B633F01E9C4D}.exe	{F8C91104-4270-4d02-B32C-EEB87FCBF406}.exe
File created	C:\Windows\{2F1B76BF-60DD-44e4-8917-3238C5924623}.exe	{8A5F89C2-C4D4-4ef0-8D9D-990F94C14048}.exe
File created	C:\Windows\{778482CE-BBBC-443e-A4B4-EFDAFDA14F4F}.exe	{2F1B76BF-60DD-44e4-8917-3238C5924623}.exe
File created	C:\Windows\{A85D8782-15F6-4f71-A70B-7FF7BF5C87CB}.exe	{778482CE-BBBC-443e-A4B4-EFDAFDA14F4F}.exe
File created	C:\Windows\{CFECE766-E752-4e63-A31F-BDE370A79FCC}.exe	{A85D8782-15F6-4f71-A70B-7FF7BF5C87CB}.exe
File created	C:\Windows\{001ECC7E-209A-4837-ACC0-BFFB7291CD36}.exe	2024-04-06_d1ba0ff36d8ad7e5ccef163a7a3dd0b5_goldeneye.exe
File created	C:\Windows\{481B1A6E-484A-4e5e-8E52-78EF8D4B70A0}.exe	{A0F4B388-B52C-4b5c-8066-3439F863BDA3}.exe
File created	C:\Windows\{8A5F89C2-C4D4-4ef0-8D9D-990F94C14048}.exe	{4727C803-965D-4c9d-A7A6-B633F01E9C4D}.exe
File created	C:\Windows\{A0978817-234A-48b6-B70F-CF8CC5CC5E31}.exe	{CFECE766-E752-4e63-A31F-BDE370A79FCC}.exe
File created	C:\Windows\{71D101E8-B647-4358-8063-E6D41A827981}.exe	{A0978817-234A-48b6-B70F-CF8CC5CC5E31}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1772	2024-04-06_d1ba0ff36d8ad7e5ccef163a7a3dd0b5_goldeneye.exe
Token: SeIncBasePriorityPrivilege	1948	{001ECC7E-209A-4837-ACC0-BFFB7291CD36}.exe
Token: SeIncBasePriorityPrivilege	4808	{A0F4B388-B52C-4b5c-8066-3439F863BDA3}.exe
Token: SeIncBasePriorityPrivilege	1780	{481B1A6E-484A-4e5e-8E52-78EF8D4B70A0}.exe
Token: SeIncBasePriorityPrivilege	4512	{F8C91104-4270-4d02-B32C-EEB87FCBF406}.exe
Token: SeIncBasePriorityPrivilege	508	{4727C803-965D-4c9d-A7A6-B633F01E9C4D}.exe
Token: SeIncBasePriorityPrivilege	4448	{8A5F89C2-C4D4-4ef0-8D9D-990F94C14048}.exe
Token: SeIncBasePriorityPrivilege	4792	{2F1B76BF-60DD-44e4-8917-3238C5924623}.exe
Token: SeIncBasePriorityPrivilege	1864	{778482CE-BBBC-443e-A4B4-EFDAFDA14F4F}.exe
Token: SeIncBasePriorityPrivilege	3736	{A85D8782-15F6-4f71-A70B-7FF7BF5C87CB}.exe
Token: SeIncBasePriorityPrivilege	4624	{CFECE766-E752-4e63-A31F-BDE370A79FCC}.exe
Token: SeIncBasePriorityPrivilege	400	{A0978817-234A-48b6-B70F-CF8CC5CC5E31}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1948	1772	2024-04-06_d1ba0ff36d8ad7e5ccef163a7a3dd0b5_goldeneye.exe	97
PID 1772 wrote to memory of 1948	1772	2024-04-06_d1ba0ff36d8ad7e5ccef163a7a3dd0b5_goldeneye.exe	97
PID 1772 wrote to memory of 1948	1772	2024-04-06_d1ba0ff36d8ad7e5ccef163a7a3dd0b5_goldeneye.exe	97
PID 1772 wrote to memory of 4256	1772	2024-04-06_d1ba0ff36d8ad7e5ccef163a7a3dd0b5_goldeneye.exe	98
PID 1772 wrote to memory of 4256	1772	2024-04-06_d1ba0ff36d8ad7e5ccef163a7a3dd0b5_goldeneye.exe	98
PID 1772 wrote to memory of 4256	1772	2024-04-06_d1ba0ff36d8ad7e5ccef163a7a3dd0b5_goldeneye.exe	98
PID 1948 wrote to memory of 4808	1948	{001ECC7E-209A-4837-ACC0-BFFB7291CD36}.exe	99
PID 1948 wrote to memory of 4808	1948	{001ECC7E-209A-4837-ACC0-BFFB7291CD36}.exe	99
PID 1948 wrote to memory of 4808	1948	{001ECC7E-209A-4837-ACC0-BFFB7291CD36}.exe	99
PID 1948 wrote to memory of 1416	1948	{001ECC7E-209A-4837-ACC0-BFFB7291CD36}.exe	100
PID 1948 wrote to memory of 1416	1948	{001ECC7E-209A-4837-ACC0-BFFB7291CD36}.exe	100
PID 1948 wrote to memory of 1416	1948	{001ECC7E-209A-4837-ACC0-BFFB7291CD36}.exe	100
PID 4808 wrote to memory of 1780	4808	{A0F4B388-B52C-4b5c-8066-3439F863BDA3}.exe	102
PID 4808 wrote to memory of 1780	4808	{A0F4B388-B52C-4b5c-8066-3439F863BDA3}.exe	102
PID 4808 wrote to memory of 1780	4808	{A0F4B388-B52C-4b5c-8066-3439F863BDA3}.exe	102
PID 4808 wrote to memory of 1792	4808	{A0F4B388-B52C-4b5c-8066-3439F863BDA3}.exe	103
PID 4808 wrote to memory of 1792	4808	{A0F4B388-B52C-4b5c-8066-3439F863BDA3}.exe	103
PID 4808 wrote to memory of 1792	4808	{A0F4B388-B52C-4b5c-8066-3439F863BDA3}.exe	103
PID 1780 wrote to memory of 4512	1780	{481B1A6E-484A-4e5e-8E52-78EF8D4B70A0}.exe	104
PID 1780 wrote to memory of 4512	1780	{481B1A6E-484A-4e5e-8E52-78EF8D4B70A0}.exe	104
PID 1780 wrote to memory of 4512	1780	{481B1A6E-484A-4e5e-8E52-78EF8D4B70A0}.exe	104
PID 1780 wrote to memory of 2880	1780	{481B1A6E-484A-4e5e-8E52-78EF8D4B70A0}.exe	105
PID 1780 wrote to memory of 2880	1780	{481B1A6E-484A-4e5e-8E52-78EF8D4B70A0}.exe	105
PID 1780 wrote to memory of 2880	1780	{481B1A6E-484A-4e5e-8E52-78EF8D4B70A0}.exe	105
PID 4512 wrote to memory of 508	4512	{F8C91104-4270-4d02-B32C-EEB87FCBF406}.exe	106
PID 4512 wrote to memory of 508	4512	{F8C91104-4270-4d02-B32C-EEB87FCBF406}.exe	106
PID 4512 wrote to memory of 508	4512	{F8C91104-4270-4d02-B32C-EEB87FCBF406}.exe	106
PID 4512 wrote to memory of 1460	4512	{F8C91104-4270-4d02-B32C-EEB87FCBF406}.exe	107
PID 4512 wrote to memory of 1460	4512	{F8C91104-4270-4d02-B32C-EEB87FCBF406}.exe	107
PID 4512 wrote to memory of 1460	4512	{F8C91104-4270-4d02-B32C-EEB87FCBF406}.exe	107
PID 508 wrote to memory of 4448	508	{4727C803-965D-4c9d-A7A6-B633F01E9C4D}.exe	108
PID 508 wrote to memory of 4448	508	{4727C803-965D-4c9d-A7A6-B633F01E9C4D}.exe	108
PID 508 wrote to memory of 4448	508	{4727C803-965D-4c9d-A7A6-B633F01E9C4D}.exe	108
PID 508 wrote to memory of 1188	508	{4727C803-965D-4c9d-A7A6-B633F01E9C4D}.exe	109
PID 508 wrote to memory of 1188	508	{4727C803-965D-4c9d-A7A6-B633F01E9C4D}.exe	109
PID 508 wrote to memory of 1188	508	{4727C803-965D-4c9d-A7A6-B633F01E9C4D}.exe	109
PID 4448 wrote to memory of 4792	4448	{8A5F89C2-C4D4-4ef0-8D9D-990F94C14048}.exe	110
PID 4448 wrote to memory of 4792	4448	{8A5F89C2-C4D4-4ef0-8D9D-990F94C14048}.exe	110
PID 4448 wrote to memory of 4792	4448	{8A5F89C2-C4D4-4ef0-8D9D-990F94C14048}.exe	110
PID 4448 wrote to memory of 4336	4448	{8A5F89C2-C4D4-4ef0-8D9D-990F94C14048}.exe	111
PID 4448 wrote to memory of 4336	4448	{8A5F89C2-C4D4-4ef0-8D9D-990F94C14048}.exe	111
PID 4448 wrote to memory of 4336	4448	{8A5F89C2-C4D4-4ef0-8D9D-990F94C14048}.exe	111
PID 4792 wrote to memory of 1864	4792	{2F1B76BF-60DD-44e4-8917-3238C5924623}.exe	112
PID 4792 wrote to memory of 1864	4792	{2F1B76BF-60DD-44e4-8917-3238C5924623}.exe	112
PID 4792 wrote to memory of 1864	4792	{2F1B76BF-60DD-44e4-8917-3238C5924623}.exe	112
PID 4792 wrote to memory of 1908	4792	{2F1B76BF-60DD-44e4-8917-3238C5924623}.exe	113
PID 4792 wrote to memory of 1908	4792	{2F1B76BF-60DD-44e4-8917-3238C5924623}.exe	113
PID 4792 wrote to memory of 1908	4792	{2F1B76BF-60DD-44e4-8917-3238C5924623}.exe	113
PID 1864 wrote to memory of 3736	1864	{778482CE-BBBC-443e-A4B4-EFDAFDA14F4F}.exe	114
PID 1864 wrote to memory of 3736	1864	{778482CE-BBBC-443e-A4B4-EFDAFDA14F4F}.exe	114
PID 1864 wrote to memory of 3736	1864	{778482CE-BBBC-443e-A4B4-EFDAFDA14F4F}.exe	114
PID 1864 wrote to memory of 432	1864	{778482CE-BBBC-443e-A4B4-EFDAFDA14F4F}.exe	115
PID 1864 wrote to memory of 432	1864	{778482CE-BBBC-443e-A4B4-EFDAFDA14F4F}.exe	115
PID 1864 wrote to memory of 432	1864	{778482CE-BBBC-443e-A4B4-EFDAFDA14F4F}.exe	115
PID 3736 wrote to memory of 4624	3736	{A85D8782-15F6-4f71-A70B-7FF7BF5C87CB}.exe	116
PID 3736 wrote to memory of 4624	3736	{A85D8782-15F6-4f71-A70B-7FF7BF5C87CB}.exe	116
PID 3736 wrote to memory of 4624	3736	{A85D8782-15F6-4f71-A70B-7FF7BF5C87CB}.exe	116
PID 3736 wrote to memory of 4544	3736	{A85D8782-15F6-4f71-A70B-7FF7BF5C87CB}.exe	117
PID 3736 wrote to memory of 4544	3736	{A85D8782-15F6-4f71-A70B-7FF7BF5C87CB}.exe	117
PID 3736 wrote to memory of 4544	3736	{A85D8782-15F6-4f71-A70B-7FF7BF5C87CB}.exe	117
PID 4624 wrote to memory of 400	4624	{CFECE766-E752-4e63-A31F-BDE370A79FCC}.exe	118
PID 4624 wrote to memory of 400	4624	{CFECE766-E752-4e63-A31F-BDE370A79FCC}.exe	118
PID 4624 wrote to memory of 400	4624	{CFECE766-E752-4e63-A31F-BDE370A79FCC}.exe	118
PID 4624 wrote to memory of 2980	4624	{CFECE766-E752-4e63-A31F-BDE370A79FCC}.exe	119

C:\Users\Admin\AppData\Local\Temp\2024-04-06_d1ba0ff36d8ad7e5ccef163a7a3dd0b5_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-06_d1ba0ff36d8ad7e5ccef163a7a3dd0b5_goldeneye.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\{001ECC7E-209A-4837-ACC0-BFFB7291CD36}.exe
  C:\Windows\{001ECC7E-209A-4837-ACC0-BFFB7291CD36}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\{A0F4B388-B52C-4b5c-8066-3439F863BDA3}.exe
    C:\Windows\{A0F4B388-B52C-4b5c-8066-3439F863BDA3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Windows\{481B1A6E-484A-4e5e-8E52-78EF8D4B70A0}.exe
      C:\Windows\{481B1A6E-484A-4e5e-8E52-78EF8D4B70A0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Windows\{F8C91104-4270-4d02-B32C-EEB87FCBF406}.exe
        
        C:\Windows\{F8C91104-4270-4d02-B32C-EEB87FCBF406}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4512
      - C:\Windows\{4727C803-965D-4c9d-A7A6-B633F01E9C4D}.exe
        
        C:\Windows\{4727C803-965D-4c9d-A7A6-B633F01E9C4D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:508
        
        C:\Windows\{8A5F89C2-C4D4-4ef0-8D9D-990F94C14048}.exe
        
        C:\Windows\{8A5F89C2-C4D4-4ef0-8D9D-990F94C14048}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\{2F1B76BF-60DD-44e4-8917-3238C5924623}.exe
        
        C:\Windows\{2F1B76BF-60DD-44e4-8917-3238C5924623}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\{778482CE-BBBC-443e-A4B4-EFDAFDA14F4F}.exe
        
        C:\Windows\{778482CE-BBBC-443e-A4B4-EFDAFDA14F4F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\{A85D8782-15F6-4f71-A70B-7FF7BF5C87CB}.exe
        
        C:\Windows\{A85D8782-15F6-4f71-A70B-7FF7BF5C87CB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\{CFECE766-E752-4e63-A31F-BDE370A79FCC}.exe
        
        C:\Windows\{CFECE766-E752-4e63-A31F-BDE370A79FCC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\{A0978817-234A-48b6-B70F-CF8CC5CC5E31}.exe
        
        C:\Windows\{A0978817-234A-48b6-B70F-CF8CC5CC5E31}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Windows\{71D101E8-B647-4358-8063-E6D41A827981}.exe
        
        C:\Windows\{71D101E8-B647-4358-8063-E6D41A827981}.exe
        13⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0978~1.EXE > nul
        13⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFECE~1.EXE > nul
        12⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A85D8~1.EXE > nul
        11⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77848~1.EXE > nul
        10⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F1B7~1.EXE > nul
        9⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A5F8~1.EXE > nul
        8⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4727C~1.EXE > nul
        7⤵
        
        PID:1188
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8C91~1.EXE > nul
        6⤵
        
        PID:1460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{481B1~1.EXE > nul
        5⤵
        
        PID:2880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A0F4B~1.EXE > nul
      4⤵
      PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{001EC~1.EXE > nul
    3⤵
    PID:1416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{001ECC7E-209A-4837-ACC0-BFFB7291CD36}.exe

Filesize
204KB

MD5
33ec0b4baf523cdbc64bdb75da8d2aa1

SHA1
b72427265dfebf2ec64373e46d3a9318824a964b

SHA256
d12651125633150455b2adefd1e7b77a704e6b2a6c6c8278a4b51d11ac05c802

SHA512
df3a27e2e6bf346fa910d6111dc50752f011d032601e644ee8d8131c70312f6aa9cfbd57385d5d216f0aecd59b41bfa741fe4e7ed979e7a89025496ae133636f

Download Submit
C:\Windows\{2F1B76BF-60DD-44e4-8917-3238C5924623}.exe

Filesize
204KB

MD5
6ff2089cf0cdab2571f9a33885223af3

SHA1
2ca26dda1cf78ef14e240257be353b0246e79fb3

SHA256
51c3c41717fea44bc8819508e2faaaa154e413c09314beed74d856808cfdd07d

SHA512
30547f09868419909a56d6ed1b707a3d142cea7d131ee789efd1046178c2951872b2e1b2741afabfe17ab1ec34531dfb2d57336f53e20b057f5be08ddf3e4fe6

Download Submit
C:\Windows\{4727C803-965D-4c9d-A7A6-B633F01E9C4D}.exe

Filesize
204KB

MD5
163afb66afa5caa93fae7d3b355b69fe

SHA1
9e816c29f3d51bb0e5fcbb98a0f8e08cebdb9eea

SHA256
a00907fab09e111c17e9585d252bb0fdca16f4cf77b4059f80456e13e6236c8f

SHA512
a514dd2a4ad853253e8ea6ef5234baa41cbd8546f0334cd9af90a9494c88674d8917c4985d325afd3f1df9df310229df00d47d7f146b49878e1597607f8232bf

Download Submit
C:\Windows\{481B1A6E-484A-4e5e-8E52-78EF8D4B70A0}.exe

Filesize
204KB

MD5
0c02a49a9012c3ff5c7f2ffd230a3a91

SHA1
245514b0a282ecbe7f0963d7e926d1d47fa180a1

SHA256
4d261b1bd1de408a7fc5761b47f8f737c03308032cd381a7d40d86021d9401e2

SHA512
0b81d0abbcae983652cac95645a268207c8e2b0b05d4f575ef5f523e63aeecbf94cba706561c22c67957ec6483a298e9416ae9cfed7e1529cea8fa25708b477e

Download Submit
C:\Windows\{71D101E8-B647-4358-8063-E6D41A827981}.exe

Filesize
204KB

MD5
3477362ebea3bbbd3b87ca31e845e01f

SHA1
c0817a6bfe55ae77d2ba03b71401ed515cbcb572

SHA256
bbef8618f840ec4dcb4a35addef2ad4ef71b74410091481314713850aeaed21e

SHA512
94463821d655bf1316201f2385e83e683e2bfe9f177aaf922500d8e6b74ae946bbd3e09edb43a4aa2b3a1a6c27a197367509e0cc35734bfa7eaa85d62314787c

Download Submit
C:\Windows\{778482CE-BBBC-443e-A4B4-EFDAFDA14F4F}.exe

Filesize
204KB

MD5
0d31ca2901cec99e364c84ecb3d50442

SHA1
86555dcee30b69b9f52b2119d012611e724fdaeb

SHA256
3d1fedfebce79171b0bef12a2bcb269b5917d0590804d03d9926bde816c718a4

SHA512
319e118e7a59e58f66fabb6aa50ffef3aaa53ed2776b9dad6e471381cb3ae8fae2999323db2f2762a85302266fc178433fc97d0421f53a523d7578a7e83fc76e

Download Submit
C:\Windows\{8A5F89C2-C4D4-4ef0-8D9D-990F94C14048}.exe

Filesize
204KB

MD5
4243bc371bfc1a3b9768150a81eaa5c9

SHA1
6c7978ac1bc221c19d9871c985715080f829b054

SHA256
9de68a7a5fe53d4fd79b5336f704dc4cc3b62e58e6c2f3c66830494364042744

SHA512
654ebf47f5c6774a3646577bf80d0fc9d907fc7f111218c8f715b15ca84dd9fe3054ab860ea44b7ee266476018de074b83cb4d8c094159835d1eae0d1d68bfea

Download Submit
C:\Windows\{A0978817-234A-48b6-B70F-CF8CC5CC5E31}.exe

Filesize
204KB

MD5
b7ced03fd0ad70c7e42b07f164a450d4

SHA1
f2b746dab6d24c737b636ed13e87fedb02dd12cf

SHA256
37299d578887ad0e7fed2910770dae4f1bdd2f17faa8fe7e2345ac6deb743d06

SHA512
71e7d05616d45387342709af274f8a332db1293c2693520800f0c24cb78b9759c7d015f190d5d3c1d8c884b4356bc9daaf705fe27cdb211d9a70f7a3435589e8

Download Submit
C:\Windows\{A0F4B388-B52C-4b5c-8066-3439F863BDA3}.exe

Filesize
204KB

MD5
305c7e24a87a28d8602bb91ac4c5dd7a

SHA1
ae6920d3bdf21cf8f94d3b4468ff557641414356

SHA256
4135c32bfd74c65433b72c3d8683de72e7c778c7e3243ab28e6bc06a8fc14b28

SHA512
aaf17a9b787bf174d861517ee0573bd8d4a6f470d1ccd44f57287574ae054e08f9c796e241cbef24a0f878af0f7edd646dfa33cde274c6a6811899d5feced5d6

Download Submit
C:\Windows\{A85D8782-15F6-4f71-A70B-7FF7BF5C87CB}.exe

Filesize
204KB

MD5
2aebdc2c023efc35cdd790be52f56b22

SHA1
d34361ad14531eea55399be021172919bdb50c6e

SHA256
44444ce2dd9a6137a7686c8d011ea75ff268b4a9b359a8aa09b32f7d4a28069f

SHA512
5e9bce8e3a44c4b005743c1bbdc4df69f72b60b59b4e9f0b62542cdc2a89979768d8f04a342db1b1953d21412b685dc55d1731cbabc32c8fb2294d0f73ac96a9

Download Submit
C:\Windows\{CFECE766-E752-4e63-A31F-BDE370A79FCC}.exe

Filesize
204KB

MD5
2c7c21cf1c0ba90c45f0bc7c4bbdbad0

SHA1
a41510636edf48d829fc8887bef238c48fa11a3d

SHA256
2444cd044b9fbd9b7b230872c374ede8db7a4a66447d2bceb5da6b8c46b76339

SHA512
019f5c7f56b3cdab7ece9a144b15ca2861cffaa431ab505ee6817de0617befea0aff05e3268162f4de795a0c32da149aff03221d9bc508f0c70b7ff4e0335604

Download Submit
C:\Windows\{F8C91104-4270-4d02-B32C-EEB87FCBF406}.exe

Filesize
204KB

MD5
4353b3ad2850ba216829c09aa17fd421

SHA1
473c5b9051a7108317ee684f14db22e1d0ebae5d

SHA256
59a7546e36dd496e472e59618f58d71632c32e1ae7f729e7c79c49690298645b

SHA512
9eeea1ca0433b2f779fc34d59ef08e2291b7530a2481e278eee1a65ad79941a9cbee60c16a4a1606436e9594d4844e12744f30afa11e173951837927bf9be902

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads